ReleaseEngineering/PuppetAgain/Modules/fw

3,784 bytes added, 18:31, 8 August 2017
Initial pass at fw module documentation
= Firewall Wrapper Module =

This is a light wrapper around the `firewall` module (https://github.com/puppetlabs/puppetlabs-firewall) and the `pf` module. It provides transparency for writing firewall rules that may be interchangeable between both OSX and Linux.<br />
The fw module uses a 'Roles & Profiles' framework for managing and applying firewall rules in a simple and easy way. A role is made up of individual rules grouped together on a source/application basis. Profiles are a collection of roles.
=== Defining ports and protocols for applications ===

Each application must be defined in the '''$app_proto_port''' hash within the [https://hg.mozilla.org/build/puppet/file/tip/modules/fw/manifests/apps.pp apps.pp manifest]. For example:

 'http'   => { proto => 'tcp', port => '80' },
 'https'  => { proto => 'tcp', port => '443' },
 'puppet' => { proto => 'tcp', port => '8140' },

=== Defining hosts and networks ===

All sources should be defined within the networks.pp manifest. All variables defined here are arrays, even if it is a single element array. Valid sources are:
* CIDR blocks
* Single IP CIDR blocks

=== Roles ===

For example, this role allows all releng sources to the puppet master listening ports:

 class fw::roles::puppetmaster_from_all_releng {
   include fw::networks
   fw::rules { 'allow_puppetmaster_http':   sources => $::fw::networks::all_releng, app => 'http' }
   fw::rules { 'allow_puppetmaster_https':  sources => $::fw::networks::all_releng, app => 'https' }
   fw::rules { 'allow_puppetmaster_puppet': sources => $::fw::networks::all_releng, app => 'puppet' }
 }

This role allows ssh access from all puppetmasters (for rsync):

 class fw::roles::puppetmaster_sync_from_all_puppetmasters {
   include fw::networks
   fw::rules { 'allow_puppetmaster_sync': sources => [ $::fw::networks::non_distingushed_puppetmasters, $::fw::networks::distingushed_puppetmaster ], app => 'ssh' }
 }
And finally, this role allows ssh access from the jumphosts and logs each connection:

 class fw::roles::ssh_from_rejh_logging {
   include fw::networks
   fw::rules { 'allow_ssh_from_rejh_logging': sources => $::fw::networks::rejh, app => 'ssh', log => true }
 }

=== Profiles ===

Now we can take the previous roles and build a profile for the distinguished puppetmaster:

 class fw::profiles::distinguished_puppetmaster {
   include ::fw::roles::puppetmaster_from_all_releng
   include ::fw::roles::puppetmaster_sync_from_all_puppetmasters
   include ::fw::roles::ssh_from_rejh_logging
 }

'''Note:''' the ssh role is a logging role, therefore it will log the connections in addition to allowing them.
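The role definitions above are only as safe as the app and network definitions they reference: an app name missing from `$app_proto_port`, a source that is not a CIDR block, or a network that quietly resolves to `0.0.0.0/0` all change what the role actually opens. The following Python script is an added example, not part of the fw module, that compiles a role manifest offline the way the module's `fw::rules` semantics imply (app name to proto/port, network variable to CIDR list) and reports such problems. The `APP_PROTO_PORT` and `NETWORKS` dicts mirror apps.pp and networks.pp; the `ssh` entry, the RFC 5737 addresses, `bad_net` and `everywhere` are constructed for this example.

```python
import ipaddress
import re

# Mirror of the $app_proto_port hash in apps.pp. The http/https/puppet entries
# are the ones the page shows; 'ssh' is an assumed entry for this example.
APP_PROTO_PORT = {
    "http":   {"proto": "tcp", "port": "80"},
    "https":  {"proto": "tcp", "port": "443"},
    "puppet": {"proto": "tcp", "port": "8140"},
    "ssh":    {"proto": "tcp", "port": "22"},
}

# Mirror of the networks.pp variables: every value is a list, even a single
# element. Addresses are RFC 5737 documentation ranges constructed here;
# 'bad_net' deliberately holds an invalid entry and 'everywhere' is 0.0.0.0/0.
NETWORKS = {
    "all_releng": ["192.0.2.0/24", "198.51.100.0/24"],
    "rejh":       ["203.0.113.10/32"],
    "everywhere": ["0.0.0.0/0"],
    "bad_net":    ["203.0.113.300/24"],
}

# One fw::rules resource: the title, then `key => value` attributes up to the closing brace.
RULE_RE = re.compile(r"fw::rules\s*\{\s*'(?P<name>[^']+)'\s*:(?P<body>[^}]*)\}")
ATTR_RE = re.compile(r"(\w+)\s*=>\s*(\[[^\]]*\]|[^,}]+)")

# Constructed role manifest: the page's puppetmaster role plus a logging ssh
# rule, an unknown app, an invalid network and an 'everywhere' source.
SAMPLE_ROLE = """
class fw::roles::puppetmaster_from_all_releng {
  include fw::networks
  fw::rules { 'allow_puppetmaster_http':   sources => $::fw::networks::all_releng, app => 'http' }
  fw::rules { 'allow_puppetmaster_https':  sources => $::fw::networks::all_releng, app => 'https' }
  fw::rules { 'allow_puppetmaster_puppet': sources => $::fw::networks::all_releng, app => 'puppet' }
  fw::rules { 'allow_ssh_from_rejh_logging': sources => $::fw::networks::rejh, app => 'ssh', log => true }
  fw::rules { 'allow_vnc_typo': sources => $::fw::networks::all_releng, app => 'vnc' }
  fw::rules { 'allow_sync_from_bad_net': sources => [ $::fw::networks::bad_net, $::fw::networks::rejh ], app => 'ssh' }
  fw::rules { 'allow_ssh_from_everywhere': sources => $::fw::networks::everywhere, app => 'ssh' }
}
"""

def parse_rules(manifest):
    """Extract fw::rules resources from Puppet manifest text as dicts."""
    rules = []
    for m in RULE_RE.finditer(manifest):
        attrs = {k: v.strip() for k, v in ATTR_RE.findall(m.group("body"))}
        rules.append({"name": m.group("name"), **attrs})
    return rules

def resolve_sources(expr):
    """Expand `$::fw::networks::x` (or an array of them) into CIDR strings."""
    cidrs = []
    for name in re.findall(r"\$::fw::networks::(\w+)", expr):
        if name not in NETWORKS:
            raise KeyError(f"unknown network {name}")
        cidrs.extend(NETWORKS[name])
    return cidrs

def compile_role(manifest):
    """Return (allows, problems): the explicit allow entries a role produces,
    as (cidr, proto, port, log) tuples, and the definitions that cannot be turned into a rule."""
    allows, problems = [], []
    for rule in parse_rules(manifest):
        app = rule.get("app", "").strip("'")
        spec = APP_PROTO_PORT.get(app)
        if spec is None:
            problems.append(f"{rule['name']}: app '{app}' is not in $app_proto_port")
            continue
        try:
            sources = resolve_sources(rule.get("sources", ""))
        except KeyError as exc:
            problems.append(f"{rule['name']}: {exc.args[0]}")
            continue
        for src in sources:
            try:
                net = ipaddress.ip_network(src, strict=True)
            except ValueError:
                problems.append(f"{rule['name']}: source {src!r} is not a valid CIDR block")
                continue
            if net.prefixlen == 0:
                problems.append(f"{rule['name']}: source {src} allows the whole Internet")
            allows.append((str(net), spec["proto"], spec["port"], rule.get("log") == "true"))
    return allows, problems

if __name__ == "__main__":
    allows, problems = compile_role(SAMPLE_ROLE)
    for entry in allows:
        print("allow", *entry)
    for problem in problems:
        print("PROBLEM", problem)
```

Running it against the constructed role yields nine allow entries and three problems (the unknown `vnc` app, the malformed `bad_net` address, and the `everywhere` source). Because `$fw_allow_all` is never consulted here, the output is the policy a host gets with the default deny in force.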
=== Using profiles ===

To apply this profile to the distinguished puppetmaster, simply include the profile in the node definition. Here we also set a node scope variable ($fw_allow_all) which changes the default policy to allow all traffic:

 node 'releng-puppet2.srv.releng.scl3.mozilla.com' {
   $aspects = [ 'maximum-security' ]
   $fw_allow_all = true
   include fw::profiles::distinguished_puppetmaster
   include toplevel::server::puppetmaster
 }
=== Logging ===

Logging can be enabled for any rule. Simply add 'log => true' to the rule being defined with fw::rules. This will cause the connection to be logged when the connection state is created.<br />
For example:

 fw::rules { 'allow_vnc_from_anywhere_logging': sources => $::fw::networks::everywhere, app => 'vnc', log => true }

=== Default policy and overriding it ===

The default policy for both IPTables and PF is '''default deny'''. This also means every rule within a role is an explicit '''allow connections rule'''.<br />
If you wish to override the default deny policy for testing purposes, you must set the node scope variable ($fw_allow_all) explicitly to '''true''' within the node definition:

 $fw_allow_all = true

'''Note:''' To re-enable the default deny policy, simply remove the node scope variable.

=== Global allowed flows ===

The only globally allowed flows for both IPTables and PF are:
* established connections
* ICMP
All other flows are denied unless explicitly added.
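The three sections above describe one evaluation order: established connections and ICMP pass globally, `$fw_allow_all` (if set on the node) lets everything through, an explicit `fw::rules` allow matches on source, protocol and port and carries its `log` flag, and anything else hits the default deny. The Python below is an added example, not the module's code, that models that order for a handful of constructed flows and adds the check a reviewer wants after a testing session: which node definitions still carry `$fw_allow_all = true`. The `Allow`/`Flow` classes, the addresses and the second hostname in `SITE_PP` are constructed for this example.

```python
import ipaddress
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Allow:
    """One explicit allow as compiled from an fw::rules entry (constructed model)."""
    source: str          # CIDR block from networks.pp
    proto: str           # from $app_proto_port
    port: int            # from $app_proto_port
    log: bool = False    # the rule's `log => true`

@dataclass(frozen=True)
class Flow:
    """A new inbound connection attempt (constructed model)."""
    src_ip: str
    proto: str
    dport: int
    established: bool = False

def evaluate(flow, allows, allow_all=False):
    """Return (verdict, reason, logged) in the order the page describes:
    global flows first, then the $fw_allow_all override, then explicit rules, then default deny."""
    if flow.established:
        return ("allow", "global: established connection", False)
    if flow.proto == "icmp":
        return ("allow", "global: icmp", False)
    if allow_all:
        return ("allow", "$fw_allow_all override", False)
    src = ipaddress.ip_address(flow.src_ip)
    for rule in allows:
        if (rule.proto == flow.proto and rule.port == flow.dport
                and src in ipaddress.ip_network(rule.source)):
            return ("allow", f"rule for {rule.source}", rule.log)
    return ("deny", "default deny", False)

# Matches `$fw_allow_all = true` at the start of a line inside a node body.
OVERRIDE_RE = re.compile(r"^\s*\$fw_allow_all\s*=\s*true\b", re.M)
NODE_RE = re.compile(r"node\s+'([^']+)'\s*\{(.*?)\n\}", re.S)

def nodes_with_override(site_pp):
    """Return the node names whose definition leaves the default-deny override in place."""
    return [m.group(1) for m in NODE_RE.finditer(site_pp) if OVERRIDE_RE.search(m.group(2))]

# Constructed node definitions: the page's puppetmaster node plus a second,
# hypothetical host that relies on the default deny.
SITE_PP = """
node 'releng-puppet2.srv.releng.scl3.mozilla.com' {
  $aspects = [ 'maximum-security' ]
  $fw_allow_all = true
  include fw::profiles::distinguished_puppetmaster
  include toplevel::server::puppetmaster
}
node 'build-host.example.test' {
  include fw::profiles::distinguished_puppetmaster
}
"""

# Constructed allow set: logged ssh from a jumphost block, puppet from a releng block.
ALLOWS = [
    Allow("203.0.113.0/24", "tcp", 22, log=True),
    Allow("192.0.2.0/24", "tcp", 8140),
]

if __name__ == "__main__":
    for flow in (Flow("203.0.113.5", "tcp", 22), Flow("198.51.100.7", "tcp", 22),
                 Flow("198.51.100.7", "icmp", 0), Flow("198.51.100.7", "tcp", 5900, established=True)):
        print(flow.src_ip, flow.proto, flow.dport, "->", evaluate(flow, ALLOWS))
    print("nodes still overriding default deny:", nodes_with_override(SITE_PP))
```

The `nodes_with_override` scan is the practical takeaway from the "remove the node scope variable" note: since nothing in the module expires the override, a periodic check of site.pp (or a pre-commit hook) is what actually restores default deny after testing.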